The only secure password is the one you can't remember. June 7, 2011 4:00 PM

People who use Sony don't make very good passwords. "None of this is overly surprising, although it remains alarming. We know passwords are too short, too simple, too predictable and too much like the other ones the individual has created in other locations. The bit which did take me back a bit was the extent to which passwords conformed to very predictable patterns, namely only using alphanumeric characters, being 10 characters or less and having a much better than average chance of being the same as other passwords the user has created on totally independent systems."

"I thought it would be interesting to take a look at password practices from a real data source. I spend a bit of time writing about how people and software manage passwords and often talk about thing like entropy and reuse, but are these really discussion worthy topics? I mean do people generally get passwords right anyway and regularly use long, random, unique strings? We’ve got the data – let’s find out."

You mean "Xbox" is not a good password?posted by Renoroc at 4:07 PM on June 7, 2011

Well, what do you expect? You've got to enter the password on an awkward on-screen keyboard using a joystick. I'm surprised at how many passwords *weren't* just 'asdfgh'posted by schmod at 4:08 PM on June 7, 2011 [19 favorites]

schmod, there's a note at the end of the article that Lulzsec says these passwords came from SonyPictures.com and there is no reason to think this set of passwords was input from a gaming system.posted by des at 4:12 PM on June 7, 2011

Seriously, and this is just off the cuff. There are several others, I'm sure, that I use infrequently but don't recall right now. I know that there are password utilities you can use, but I don't trust an online service provider to have all of my passwords. Thirty passwords seems like a lot, but overall, I don't think it's out of the ordinary.

I really wish I could just use retina scan verification or fingerprint or something for these websites.posted by darkstar at 4:13 PM on June 7, 2011 [14 favorites]

I know that there are password utilities you can use, but I don't trust an online service provider to have all of my passwords.

It's funny how these things are always, "People suck at passwords" and not "Passwords suck at protecting people". One should design systems to take human nature into account; designing a system and then railing against the fact that it would work perfectly if only people weren't so stupid is a recipe for frustration and futility.

This data seems like pretty clear proof that separate-passwords-for-everything is a bad system, because it requires people to do something (maintain a lot of complicated passwords) that people are clearly not interested in doing. And yet the frustration of the writer saturates that whole article, and never once is there any indication that he has considered the possibility that it's the system that sucks and not the people, who are actually just, y'know, behaving like people.posted by mstokes650 at 4:19 PM on June 7, 2011 [103 favorites]

There are several others, I'm sure, that I use infrequently but don't recall right now.

Thirty passwords seems like a lot, but overall, I don't think it's out of the ordinary.

Yep, and my work passwords expire every 30 days and have ridiculous complexity requirements. You know what that means? That's right, sticky note on the screen.

(actually, I use KeePass, but there are a lot of sticky notes on screens, if you walk around the office).posted by empath at 4:24 PM on June 7, 2011

Why aren't users given the choice of opting out of password protection? In nine out of ten cases, I'd gladly forgo security for the convenience of just getting in and doing what I want to do. How did it happen that passwords became mandatory, and not simply a security preference? I'd gladly buy a product that advertised, "Passwords optional!"posted by Faze at 4:25 PM on June 7, 2011 [4 favorites]

I'm currently thinking of a virtual Arduino-based USB keyboard to generate, store and replay awfully long passwords. And that too would be pretty vulnerable, I guess.posted by 3mendo at 4:27 PM on June 7, 2011

Why aren't users given the choice of opting out of password protection? In nine out of ten cases, I'd gladly forgo security for the convenience of just getting in and doing what I want to do. How did it happen that passwords became mandatory, and not simply a security preference? I'd gladly buy a product that advertised, "Passwords optional!"

I don't make very good passwords. I have one password that I began using 15 years ago, with the same email all this time, and second password that has 2 extra characters that I've used for at least five years. I've used these everywhere, from secure bank sites to social sites and online stores.

This Sony breach is the kick I needed to change things, and I don't even have a Sony account. I've updated about a dozen sites so far with unique passwords, just changed my password here too. But now I'm going to go back and add a non-alphanumeric character too.posted by saffry at 4:28 PM on June 7, 2011

separate-passwords-for-everything is a bad system

It's OK if your garage door and library card pins are the same. Not all passwords are equally important. No one wants your garage door password (unless you have a really great garage band).posted by justsomebodythatyouusedtoknow at 4:28 PM on June 7, 2011 [2 favorites]

This data seems like pretty clear proof that separate-passwords-for-everything is a bad system, because it requires people to do something (maintain a lot of complicated passwords) that people are clearly not interested in doing. And yet the frustration of the writer saturates that whole article, and never once is there any indication that he has considered the possibility that it's the system that sucks and not the people, who are actually just, y'know, behaving like people.

I think a lot of people do know the general rules for secure passwords but can't be bothered to follow them. And it's not like it's really that hard to have them down, either (even a complex password can be memorized pretty effectively by just taking a minute or so to type it out a few dozen times in a row). And as multiple passwords go, slight variations on a long enough sequence are very effective; the passwords don't need to be utterly different from each other (nor are all passwords equally important, as justsomebodythatyouusedtoknow pointed out). Not to mention the aforelinked password sites in this thread, among others.

It's how security works, I think. If you can't be bothered to put a sturdy lock on your things, blaming the lock when you get robbed doesn't seem real reasonable.posted by Marisa Stole the Precious Thing at 4:35 PM on June 7, 2011

Are LastPass/1Password really a realistic option for consoles, portables, or any other environment where you need to type the password by hand? I can't imagine typing an 8+ character pass of random characters/punctuation in with a joystick, but maybe people here are doing it.posted by waxpancake at 4:36 PM on June 7, 2011 [1 favorite]

I'd highly recommend that at the very least you keep a strong, separate password on whatever e-mail address you are linking everything to. Don't use any secret question stuff that is googleable or guessable on it either.posted by furiousxgeorge at 4:36 PM on June 7, 2011

I worked on a contract a year or so out of college with extremely anal security procedures. The doors to the building didn't just require a card swipe, they actually had a middle room with sensors to make sure that only one person entered per swipe (to avoid the legitimate problem of people politely holding the door for presumed coworkers).

My passwords on that contract had to be changed every month. They had to be at least ten characters, including mixed case and numerals and punctuation. And they couldn't have more than five consecutive characters in common with any of my five previous passwords.

It wasn't until years later that it occurred to me that they pretty much couldn't have enforced that last restriction unless they were storing my previous passwords in plain text somewhere. Way to padlock the front window and leave the back door open, folks.posted by Riki tiki at 4:37 PM on June 7, 2011 [9 favorites]

it's worked pretty well but I worry the site will go away someday.

"This password generator works using Javascript, entirely within the page, no data is ever passed back to my server. Notwithstanding this, it is a very good idea to save your own copy of this page. Keeping your own copy ensures that the password generator will still be available to you even if this website goes off-line. You can also View-Source and see exactly how the javascript works, copy it to a USB stick, email it to yourself, even upload it to your own website (it's open source.) There are no dependent files, just save as a single HTML file."posted by vidur at 4:38 PM on June 7, 2011 [17 favorites]

It's funny how these things are always, "People suck at passwords" and not "Passwords suck at protecting people".

Well, yeah... Troy Hunt doesn't have the passwords because the passwords weren't good enough.

Seems like complaining about the lock on the gate when the fence is a foot high.posted by pokermonk at 4:42 PM on June 7, 2011 [1 favorite]

It's how security works, I think. If you can't be bothered to put a sturdy lock on your things, blaming the lock when you get robbed doesn't seem real reasonable.

If you need to store a bunch of stuff in separate places and all you can find are combination locks, I think it's reasonable to respond to all the lock manufacturers who tell you their products work great as long as you use a dozen different combinations and never write any of them down with "how about making something that uses a goddamn key?"posted by Holy Zarquon's Singing Fish at 4:47 PM on June 7, 2011 [17 favorites]

it's not like it's really that hard to have them down, either (even a complex password can be memorized pretty effectively by just taking a minute or so to type it out a few dozen times in a row)

No, it really is that hard to have them down. It would be impossible for me to have a secure, unique password for each service that I use. Not only do I use a lot of services, but some of them I only log into infrequently. Memorizing the password initially does not mean I'm going to remember it a month down the road.

Just because memorizing many complex passwords is easy and workable for you, does not mean that it is workable for everybody.posted by Kutsuwamushi at 4:48 PM on June 7, 2011 [8 favorites]

Marisa Stole the Precious Thing: "And it's not like it's really that hard to have them down, either (even a complex password can be memorized pretty effectively by just taking a minute or so to type it out a few dozen times in a row)."

I agree with most of your comment, Marisa, but I'll object to this part. Typing out a long password a few dozen times is a good way to remember it so I can log in tomorrow. But a lot of my accounts are for things like car insurance, where the next time I log in will be six months from now. No reasonable amount of repetition is going to make a complicated password stick with me for that long.

Overall, I sympathize with the argument that it's not the password system's fault that people choose crappy passwords. I just don't think a discussion of blame is particularly useful. If password security is the best we can (practically) do, then so be it, but it's in our interest to operate on the assumption that there's going to be a lot of human failure in that system.posted by Riki tiki at 4:49 PM on June 7, 2011 [5 favorites]

Maybe this is a dumb question, since I am neither a gamer nor a security person, but here goes:

Why do console game systems need passwords anyway? Unlike an email account, which you can access from many computers, you're only using your console, right? So why not use a hardware key (token?). Sony recognizes your console, sees that you're all paid up, and you're now logged in. If someone steals your console, then you do what you do if they'd stolen your wallet - cancel your account.

I mean, I have a work laptop and while I still have to have a password in case of unauthorized users, it knows that my machine = me.posted by desjardins at 4:50 PM on June 7, 2011 [1 favorite]

And they couldn't have more than five consecutive characters in common with any of my five previous passwords. It wasn't until years later that it occurred to me that they pretty much couldn't have enforced that last restriction unless they were storing my previous passwords in plain text somewhere.

They could enforce that restriction without storing passwords by storing hashes of every 6-character substring of the previous passwords.posted by finite at 4:50 PM on June 7, 2011 [1 favorite]

It wasn't until years later that it occurred to me that they pretty much couldn't have enforced that last restriction unless they were storing my previous passwords in plain text somewhere. Way to padlock the front window and leave the back door open, folks.

Not necessarily -- if they had you enter the old password and the new one in the same dialog window, they can do whatever the system does to confirm that the old password is correct, and still have the plaintext handy to check the new password's plaintext against.posted by No-sword at 4:50 PM on June 7, 2011

Writing your passwords down is perfectly reasonable as long as you take minimal precautions on storing them. Anyone who has physical access to your machine can do all sorts of things without your password(s) anyway (and many people save logins, etc).

Much better to have a strong password written down somewhere than a weak one in your head. Passwords are largely meant to deter outside attackers.posted by wildcrdj at 4:50 PM on June 7, 2011 [1 favorite]

Oh, wait, any previous password? Okay, that sounds messed up.posted by No-sword at 4:52 PM on June 7, 2011

Why do console game systems need passwords anyway? Unlike an email account, which you can access from many computers, you're only using your console, right?

No, one of the things about console identities is you can log onto them from multiple consoles (a second one in another room, your friend's console if you're visiting someone, etc).

It's exactly like an email address / Facebook identity / etc.

Of course, some people only log in from one console; just like some people only use their Facebook/email from one browser/computer. But it's certainly not the only use-case.posted by wildcrdj at 4:55 PM on June 7, 2011 [1 favorite]

It's funny how these things are always, "People suck at passwords" and not "Passwords suck at protecting people".

It's especially funny considering that not one of these passwords-- not "seinfeld," not "123456," not "9452" (whatever the hell that one's doing there)-- was actually, y'know, cracked, as far as we know. But they were stored in plain text on the server side. The problem here is not that users suck at security, but that Sony's tech people suck at security. They suck even harder at it than some schmuck whose password is "password."posted by dersins at 4:59 PM on June 7, 2011 [17 favorites]

Faze: Why aren't users given the choice of opting out of password protection?

There are two major categories here: personalized sites where identity matters, and shopping sites. The former have passwords so no one can pretend to be you, and the latter have passwords to save your settings (and more easily track your shopping habits, but that's beside the point). Some places do let you shop without a login, and you can let your browser auto-fill the forms (if you have that setting enabled).posted by filthy light thief at 5:04 PM on June 7, 2011

Yeah, that's technically possible finite (and is specifically why I added "pretty much" to my comment). That's not without its own risks, though. IANACryptographer, but that approach turns "crack a ten-letter password" into { "crack five six-letter passwords, knowing that there will be common consecutive characters between them" plus "crack a ten-letter password that is a permutation of the cracked six-letter passwords" }. My hunch is that the complexity of the latter is not nearly as high as the former.

Plus I'm just skeptical that they would've bothered with a solution like that. From what I've seen, "store the five previous passwords so we can make sure they don't reuse characters" is exactly the sort of thing that a non-technical manager might approve, patting himself on the back for increasing security. Even places that pride themselves on their rigorous security policies often have major blind spots.posted by Riki tiki at 5:07 PM on June 7, 2011 [2 favorites]
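finite's substring-hash idea and Riki tiki's objection to it, worked through as an added example; this is not code from the thread or from any real password system, and the per-account salt, the sample passwords and the 94-character alphabet are assumptions. The check needs no old plaintext, but the cost comparison at the end shows why each stored 6-character window is a far smaller target than the whole password.

```python
import hashlib
import hmac
import os

# "No more than five consecutive characters in common" forbids any shared run of six.
WINDOW = 6
PRINTABLE_ASCII = 94  # assumed size of the character set the policy allows


def substring_digests(password: str, account_salt: bytes, window: int = WINDOW) -> set:
    """Hash every window-length substring of `password`.

    The salt must be fixed per account (not per password) so that substrings of a
    new password can be matched against substrings of the stored history.
    """
    return {
        hmac.new(account_salt, password[i:i + window].encode("utf-8"), hashlib.sha256).digest()
        for i in range(len(password) - window + 1)
    }


def shares_run(new_password: str, history: list, account_salt: bytes, window: int = WINDOW) -> bool:
    """True if `new_password` shares `window` or more consecutive characters with any
    stored password, judged from the substring digests alone (no old plaintext needed)."""
    new_digests = substring_digests(new_password, account_salt, window)
    return any(new_digests & old_digests for old_digests in history)


def record_password(password: str, history: list, account_salt: bytes, keep: int = 5) -> list:
    """Append the digests of an accepted password, keeping only the last `keep` entries."""
    return (history + [substring_digests(password, account_salt)])[-keep:]


def guess_space(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Number of candidates needed to exhaust all passwords of `length`."""
    return alphabet ** length


def weakening_factor(full_length: int, window: int = WINDOW, alphabet: int = PRINTABLE_ASCII) -> int:
    """How much cheaper exhausting one window-length substring is than the whole password.

    This is Riki tiki's point: the stored digests cover 6-character pieces, so each
    piece can be exhausted independently, and the salt does not change that.
    """
    return guess_space(full_length, alphabet) // guess_space(window, alphabet)


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed; would be stored alongside the account
    history = []
    for old in ["Orange!Sky2011", "Quiet^Harbor77"]:  # constructed sample history
        history = record_password(old, history, salt)
    print(shares_run("Sky2011Rocks#", history, salt))  # shares "Sky2011" -> True
    print(shares_run("Sky20Qq#7Zz", history, salt))    # longest shared run is 5 -> False
    print(weakening_factor(10))                         # 94**4 == 78074896
```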

One of my college professors was ex-Army Intel. (Insert joke here) He was a really great professor and very serious about having people learn by understanding and not just by memorization. He suggested that a password should be at least ten characters. If you needed one that was easily memorized he suggested using a title from a song. Perhaps adding the band name as well. Using the first character of each word. Alternating caps. And ending it with a number and a symbol.

I've used this ever since. It seems to have worked just fine so far. YMMV of course.posted by Splunge at 5:07 PM on June 7, 2011

Yeah, that's technically possible finite (and is specifically why I added "pretty much" to my comment). That's not without its own risks, though. IANACryptographer, but that approach turns "crack a ten-letter password" into { "crack five six-letter passwords, knowing that there will be common consecutive characters between them" plus "crack a ten-letter password that is a permutation of the cracked six-letter passwords" }. My hunch is that the complexity of the latter is not nearly as high as the former.

You guys are adorable.

What actually happens is that an admin in your organization clicks the checkbox in AD that says "store with reversible encryption". Click, done.posted by mhoye at 5:13 PM on June 7, 2011 [4 favorites]

You know, some of us can't do what password systems are designed for in a perfect world. 10 alphanumeric characters? Different for every website? I can't even dial a 10-digit phone number without help. It took me three years to learn my new home phone number and I still don't know my mobile number after seven years. I've had the same passwords (one for banking/secure stuff, one for sites like mefi) and the same PIN for like 18 years. Dyscalculia can't be that uncommon, and there must be other issues that make memorisation and ordering of numbers and letters difficult for people.posted by DarlingBri at 5:15 PM on June 7, 2011 [5 favorites]

This kind of stuff is literally my day job. The state has asked us to increase our password length, and the security team figures we should just up it a bit further so we do this less often. These sorts of hacks are interesting, but they mostly confirm existing research. We know people choose bad passwords; someone last year even ran a Mechanical Turk experiment to gather password statistics.

The truth is, for anything end users actually want protected by passwords, phishing and spear phishing is a far greater threat. We identify dozens of attacks a year, and hundreds of compromised accounts a year, which are bought and sold on the black market.

A lot of this could be solved with better Kerberos on the web, whose absence partially can be blamed on US congress. Basically MIT Kerberos wasn't available outside the US until long after a guy in Switzerland invented this whole HTTP thing. Of course, HTTP is stateless so I can't say that it would have been adopted if available, and there's still the open challenges of federation and ownership of identity.posted by pwnguin at 5:18 PM on June 7, 2011

Splunge--that's exactly what I do. And I end up singing "Oh Lord, won't you buy me a Mercedez Benz?" all day. Or whatever song my password rotation is currently on. Not a bad downside. It's easy to fit in punctuation and caps, usually, so that they're naturally part of the title, either by including a comma or exclamation point, or by turning an A into a 4, etc.

And that works great for the password I need to update every 3 months. But like the others have said above, what about the sites I use (insurance, doctor's offices, etc) that I only use once every six months? By then I've cycled through three--six--a dozen new songs.

For those kinds of things, it'd be SO NICE if I could use a key fob or whatever, wave it at some sensor like I've seen they have at the gas pumps (I assume they still do, it's been a while since I've driven).posted by e to the pi i at 5:20 PM on June 7, 2011

Wow, people whining about having to remember passwords, it seems so retro.

Yes, you really do need to have a scheme for passwords, sorry, it is part of the modern world. Too damn bad if you don't like it.

It is actually very easy, once you accept that it is a necessary thing and that you care. Here's the simple scheme I've told to many many people.

First, pick a stupid password for sites-which-don't-matter. Got a gaming site where if someone hacks you it doesn't matter? Use the stupid password. I like to use flavors of pudding. "chocolatepudding" is a fine password for a site which has no impact if it were hacked.

Second, for sites-which-matter think of a class of things that you can easily and repeatably come up with the same list for. As an example, animals. A = aardvark, t = tomcat. Use that as your mental key. Then, just add an easily remembered prefix to that name for any site. Maybe a suffix too. For example, Amazon might be "23Aardvark!", and Netflix might then be "23Newt!".

It is easy, and simple, and the best thing is you can probably figure out what password you used for any given service.

Or, just use KeePass, which is what I do, but people are ridiculously resistant to doing for some reason.

Just stop whining that passwords are hard, they aren't, you are just being a whiner. There are plenty of solutions, either the class-of-things method I suggest, or using a program.posted by Invoke at 5:23 PM on June 7, 2011 [3 favorites]

Hard passwords don't matter. Let's say my password was "OL" and you knew it was two letters, both caps. Your odds of guessing that are still over 500 to 1! And you get three tries before you're locked out. I have little to worry about.

Until you do a little work on Myspace, Flickr and so forth and figure out where I went to high school, my mother's maiden name and the name of my kitty cat and then use those to reset my password to YoUaReScReWeDnOwDuMbAsS!!!!posted by Kid Charlemagne at 5:29 PM on June 7, 2011

Holy Zarquon's Singing Fish: "If you need to store a bunch of stuff in separate places and all you can find are combination locks, I think it's reasonable to respond to all the lock manufacturers who tell you their products work great as long as you use a dozen different combinations and never write any of them down with "how about making something that uses a goddamn key?""

I've actually made an effort to use secure (well, more secure) passwords for important websites, but metafilter, reddit, and a dozen other things all use some of the same variations.

I don't bother memorizing them - they are written down on a piece of paper. The copy at home has the passwords written out plainly, the copy I carry with me has tweaked the password in a trivial way (imagine swapping upper case and lower case letters and you'll have the sort of thing. Trivial to undo in my head).

This seems to work okay and it's only marginally a pain in the ass. Of course, now I need to generate more random passwords and start applying them to more places.posted by It's Never Lurgi at 5:32 PM on June 7, 2011

Wow, people whining about having to remember passwords, it seems so retro.

It's a real imposition. You say have a system, but people aren't usually offered that kind of help. They're usually just given an edict, and told if they don't like it they can quit.

I usually tell people, sure, we know you're going to write it on a post-it note. Just leave that note in your wallet, not on your desk, and don't write your username or our organization name on the same note, and if you lose your wallet, call us.

Sure, passwords don't protect you from everything - they're not even really about protecting anything; for the most part they're about accountability, not security - but passwords can be made reasonably secure with nominal effort, and helping people make that nominal effort, and explaining your reasons for doing so, can build a lot of goodwill among your user base.posted by mhoye at 5:37 PM on June 7, 2011

East Manitoba Regional Junior Kabaddi Champion '94 writes "I use LastPass, and they don't have my passwords. They have an encrypted form of my passwords that they cannot decrypt. Only I can decrypt it with my master password, and they don't know my master password."

Isn't LastPass closed source? If so you are taking their word for it.

desjardins writes "Why do console game systems need passwords anyway? Unlike an email account, which you can access from many computers, you're only using your console, right?"

Consoles are shared among family members, each of whom is going to want a separate account.

pwnguin writes "These sorts of hacks are interesting, but they mostly confirm existing research. We know people chose bad passwords;"

Old existing research. Enigma was cracked in WWII partially because the German army allowed operators to choose their own hash text. The German Navy assigned random hash text and was harder to crack.posted by Mitheral at 5:41 PM on June 7, 2011

Mhoye, it isn't an imposition, it is simply something that many people are too myopic to have thought about. Why is securing-your-own-information an imposition?

I once had a job as a network admin. For fun, I decided to check how many people had bothered to change their default passwords to their email. 8 out of 10 had not. Ouch! This was at a jobsite where there was nasty/evil competition, and several times people had been messed up by having their work stolen. Yet they still did not bother to do the minimum needed to secure the simplest thing, their email.

As a result, I moved to a program where I arbitrarily changed their password to something really evil, a long long string of garbage characters, if I could guess their password. They hated me! Yet it worked. They changed their damn passwords, and it was right for them to do so. Whining doesn't cut it with me, and it shouldn't. "Grow up and figure out a password scheme or use a program."

My daughters, aged 7 and 10 use stronger passwords than 80% of the "professional engineers" I've worked with, just sad.posted by Invoke at 5:48 PM on June 7, 2011 [1 favorite]

I favor using an algorithm. Relatively easy to remember, somewhat unique passwords for every site, and a lot harder to crack.

Come up with a master password. Then combine elements/characters of that password with elements/characters of the website URL using a pattern to identify which characters are used and when.posted by lyam at 5:49 PM on June 7, 2011

Also... no normal length password is safe from a trio of ATI cards running a nice OpenCL cracker. I have something > 26 characters for my pgp key... but... who ever wants to talk in sekrit anyway?

For most of my pws, (coincidentally not on Mefi) I have a formula based on my username and the domain name that I can do in my head to generate an N length pw. It's pretty useful.posted by hanoixan at 5:58 PM on June 7, 2011

Squirrely password policies are not precisely limited to computer passwords, you know: twenty years ago I had a hotel front desk job that required staff to make bookings for guests who might be going on to another of our hotels on their vacation. These calls were, of course, long distance.

At some point, the manager decided that staff had been abusing the long-distance calling capabilities to chat with their counterparts at other hotels. Her solution, after hiring a consultant: telephone passwords for long-distance calls*. So instead of calling the hotel in Montreal by dialing 1-514-xxx-xxxx, we were now obliged to dial star-star-12-1234-98-1-514-xxx-xxxx. But the best part was everyone had the same password. She was unable to grasp why the new security measures did not have the desired effect. When we pointed out that the new measure was meaningless because everyone who wanted to call to chat could still call, it would just take them five seconds longer, she exclaimed, "No, now staff will be responsible, because they have to type in their PASSWORD." We pointed out that everyone had the same password and it slowed us down having to memorize it and dial it fifty times a day. She was dogged: "Look, now staff have to type in their PASSWORD. Everything should be fine now."

Luckily she was fired for general incompetence, and her replacement was a little sharper, so the lengthy code was removed. But decades later, I can still recall it.

*Knowing her style, I am sure I know exactly how this came about. The consultant talked about assigning each user a password, and she wrote PASSWORD on a legal pad and underlined it twice. That was how she rolled.posted by ricochet biscuit at 6:04 PM on June 7, 2011 [1 favorite]

I use LastPass, and they don't have my passwords. They have an encrypted form of my passwords that they cannot decrypt.

LastPass is closed source. How can you be sure?

I use strong passwords for most things, but they really can be difficult to remember for services I don't use very often. I find that it's often easier to use passphrases instead of short alphanumeric passwords with some special characters thrown in--i.e. instead of 8-10 characters use a phrase with some letters substituted in specific ways that people aren't going to guess, like "theAnswermyFr9end0sBlow2n1nThew0nd." I'm not sure why most sites advise users to stick to short cryptic passwords when longer (30+ character) passwords tend to be more secure and easier to remember, and most of the time aren't too much of a pain to type in.

Bruce Schneier advocates writing your passwords down in your wallet since it encourages using passwords that you probably won't remember. If you're serious about it you can write them down in such a way that even if someone finds them they won't be useful, like using the letter two spaces to the right on the keyboard, rearranging them, or writing them in a grid and only using the characters in a certain pattern that you have memorized. This also has the added benefit of telling you exactly when your list of passwords may have been compromised, since you should already be keeping pretty good tabs on your wallet to begin with.

It wasn't until years later that it occurred to me that they pretty much couldn't have enforced that last restriction unless they were storing my previous passwords in plain text somewhere. Way to padlock the front window and leave the back door open, folks.

I have seen similar situations where, despite strong security measures being implemented, one stupid move blew giant holes in all of them. More sites are requiring security questions for account recovery. I guess if you don't know anyone and never tell anyone anything about yourself they can work, but the truth is that most of the time the questions are things that your friends would probably know. So your friends can break into your e-mail without much hassle regardless of whether you have a strong password or not. The worst offenders are the ones that ask you to verify certain account information that needs to be accurate, like your address or date of birth. At least you can enter random numbers for security questions so they're not usable, but I wonder how many of those are stored in plain text.

Recently I found out that Facebook stores your old passwords indefinitely. Not only does it confirm your identity with the e-mail address you entered by showing your name and profile picture, but it tells you the date, time, and location that specific password was changed and gives you an option to recover your password by answering security questions. Who ever thought it would be a good idea to volunteer information about a user for a failed authentication? This isn't even something you can turn off, so the fact that some people completely fail at basic security practices makes everyone vulnerable.

If the people implementing security can't get it right, how much can you really do as an end user? It seems like the solution that many sites have come up with to combat account theft has been to make accounts easier to recover, but this has effectively made them even less secure. So it goes.posted by howlingmonkey at 6:15 PM on June 7, 2011 [1 favorite]

It is part of the modern world. Too damn bad if you don't like it.
This is the cry heard most loudly before someone just fixes the damn problem. Often Apple. I wonder what having a pocket personal computer with all sorts of radios could do for logging in to things?

First, pick a stupid password for sites-which-don't-matter.
This is a great plan until a site that didn't matter when you first signed up to it later turns out to matter a whole lot, either by merging into some other service, or just becoming valuable to you. If you haven't upgraded your password in the meantime, you're screwed.posted by bonaldi at 6:28 PM on June 7, 2011 [2 favorites]

No, it really is that hard to have them down. It would be impossible for me to have a secure, unique password for each service that I use. Not only do I use a lot of services, but some of them I only log into infrequently. Memorizing the password initially does not mean I'm going to remember it a month down the road.

Ah yeah, good point. What I do is, all my passwords tend to be variations on a theme of one nonsense sequence, so instead of memorizing a bunch of totally different passwords, I need only remember what small variations in the sequence are used for a particular site, regardless of how frequently I go there.

Pet peeve: I seriously doubt people only used one alphanumeric character. What was everything else? Punctuation? I'm guessing that most people hewed to the minimum and only used one numeric character.posted by Ickster at 6:33 PM on June 7, 2011

First, pick a stupid password for sites-which-don't-matter.
This is a great plan until a site that didn't matter when you first signed up to it later turns out to matter a whole lot, either by merging into some other service, or just becoming valuable to you. If you haven't upgraded your password in the meantime, you're screwed.

So, change the password to a more-secure one at that point? What's the problem?posted by Invoke at 6:34 PM on June 7, 2011

I'm guessing that most people hewed to the minimum and only used one numeric character.

And I'm guessing most of those were a "1" stuck on the end of the old password.

Consoles are shared amongst family members, each of whom is going to want a separate account.

OK, I still don't get it. Last time I was at my sister's, her kids were playing with the Wii, and some screen came up with their avatars and I think their names. My nephew clicked on his avatar and started playing. No password, unless I just wasn't paying attention, and he's 5, he wouldn't remember one anyway. I mean, if you can't trust your own family members... ? What is the benefit of going into someone else's gaming profile, besides just being a dick?posted by desjardins at 6:36 PM on June 7, 2011

I once had a job as a network admin. For fun, I decided to check how many people had bothered to change their default passwords to their email. 8 out of 10 had not. Ouch!

I've been a sysadmin for quite a while now; so, you didn't check the box that said, change password at next login? You didn't expire passwords every six months? If not, then don't put that failure on your users.

As a result, I moved to a program where I arbitrarily changed their password to something really evil, a long long string of garbage characters, if I could guess their password. They hated me! Yet it worked. They changed their damn passwords, and it was right for them to do so. Whining doesn't cut it with me, and it shouldn't.

Ah, you're that kind of admin. I understand. You know that what you've done there doesn't actually improve security, right? That you have, in fact, done the opposite?posted by mhoye at 6:36 PM on June 7, 2011 [6 favorites]

I mean, if you can't trust your own family members... ?

Parental controls? The parents' accounts are probably set up to be able to do things like watch R-rated movies; kids' accounts may not be. Also you can tie an account to your credit card. On my XBox, for example, I can buy things just by hitting buttons. If I had kids, I'd probably want that to be behind a password!posted by wildcrdj at 6:42 PM on June 7, 2011

1. You are issued a random alphanumeric password
2. If you don't like it, you can get a different random alphanumeric password
3. You may not choose an arbitrary password
4. If you don't want to memorize it, write it down

I'm with mhoye here. This attitude is why people are computer-phobic. Computers & programs are tools, means to an end, not great gods I need to sacrifice to. People who think users are the problem instead of working to make programs fit their users should find a different line of work. You aren't helping.posted by yerfatma at 6:42 PM on June 7, 2011 [16 favorites]

Who cares if I use weak passwords if I'm more likely to have my account stolen through the companies getting hacked, or via a phishing attempt that I take the bait on? Is there any data out there on how common it is for someone to get hacked via bad passwords vs a different workaround?posted by garlic at 6:44 PM on June 7, 2011 [1 favorite]

I’m not sure a lock (bike lock to vault) is a good analogy to a password. For one, surveillance of the lock itself is used in many physical situations, for example a warehouse. I’m sure the same protocols apply in the computation or ethereal world where, if I understand it, the mechanisms are similar. (use of key to open a container)

If I have a password, I can enter from almost anywhere. (unless they put the computer in a vault and it is checked every time to see who opened it) In the physical world there are only limited entry points. Also, I don’t need a key. I could make one, circumnavigate the lock or pick it. Perhaps similar methods are used in computers but it seems the trail is easier to hide. In other words, breaking into a vault is a more complex task. For instance the Belgian diamond heist years back, it took years to plan and execute. And there is no way it could have been done without the perps being very close for long periods of time. The key was using the physical world's security weaknesses and finding a way in. As a counter example, how long did this Sony hack take? What trail was left, was it easy?
Guess that’s why I’m not sure.posted by clavdivs at 6:45 PM on June 7, 2011

I used to have an account at a brokerage company that shall remain nameless. When I tried to pull data from it using Turbotax, it failed to login until I had a hunch and truncated my 20 character password to 8 characters. Success! The site had been silently truncating passwords to the first 8 characters and using that, so the strong password "password45**[923]aTy+size20?+HUrfDuRf" would be stored as "password" in the database.posted by benzenedream at 6:46 PM on June 7, 2011 [3 favorites]
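The silent truncation described in that post is something an auditor can detect from the outside, without seeing the stored hashes. This is an added example, not code from the thread or from any brokerage: a legacy store that keeps only the first 8 characters (the way old crypt(3) DES did), a hardened store that hashes the full password, and a probe that reports how many characters a store really checks. The password string is the one quoted above; the user names, salts and iteration counts are constructed for the example.

```python
"""Detecting silent password truncation (constructed example)."""
import hashlib
import hmac
import os

# The long password quoted in the thread above.
LONG_PASSWORD = "password45**[923]aTy+size20?+HUrfDuRf"

# Iteration count kept modest so the probe below runs in a few seconds;
# a production deployment would use a much higher count.
ITERATIONS = 50_000


class LegacyStore:
    """Silently keeps only the first 8 characters, like crypt(3) DES did."""

    LIMIT = 8

    def __init__(self):
        self._db = {}

    def register(self, user, password):
        salt = os.urandom(16)
        truncated = password[: self.LIMIT].encode()  # the defect: rest is dropped
        digest = hashlib.pbkdf2_hmac("sha256", truncated, salt, ITERATIONS)
        self._db[user] = (salt, digest)

    def verify(self, user, password):
        salt, digest = self._db[user]
        truncated = password[: self.LIMIT].encode()
        candidate = hashlib.pbkdf2_hmac("sha256", truncated, salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)


class HardenedStore:
    """Hashes the whole password; no length is silently discarded."""

    def __init__(self):
        self._db = {}

    def register(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._db[user] = (salt, digest)

    def verify(self, user, password):
        salt, digest = self._db[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)


def find_truncation_length(store, user="probe", base=LONG_PASSWORD, max_len=64):
    """Return the number of characters `store` actually checks, or None.

    Registers `base`, then for each position n changes only the character
    at index n (leaving the first n characters intact). The smallest n at
    which the altered password still verifies is the effective limit.
    """
    store.register(user, base)
    for n in range(1, min(len(base), max_len)):
        replacement = "x" if base[n] != "x" else "y"
        flipped = base[:n] + replacement + base[n + 1:]
        if store.verify(user, flipped):
            return n
    return None


if __name__ == "__main__":
    print("legacy store checks", find_truncation_length(LegacyStore()), "characters")
    print("hardened store checks", find_truncation_length(HardenedStore()), "characters")
```

Running the probe against a live service is the same idea: register a long password, then log in with the suffix altered, and treat any success as a finding.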

As every site in the freaking universe is gradually merging with stuff like Yahoo and Facebook, suddenly, that dumb spam email account you set up with a crappy password 8 years ago to buy stuff off eBay with is the same one you use to access your children's private photos you uploaded on Flickr.

The password you stupidly assigned to your AIM account that you use to chat with camwhores is now no longer valid, and is associated with your Facebook account (you know, the one you signed up for in college? When it was private? And you posted lots of photos of yourself, and your cell number - which you haven't changed - is visible there, and... I'll just stop there.)

It used to be that, yes, you could have N random identities online, and some could be "real" you -- and some could be "NOTyou,NOREALLY!" But I think those days are disappearing.

I've got pretty complicated security password requirements for my work-issued laptop, BlackBerry and to access my 401(k) and paycheck statements online. All four of those things require (at least) 10 characters, including varying cases, alphanumeric characters, and punctuation. ALL of them must be changed every 30 days, or the next login (if it's longer than 30 days). I too have realized that, even when I try to use a password from a year ago, it's not being accepted.

Having worked there close to a decade, in all seriousness, I get SUPER!EXCITED whenever a device breaks or I've had to change my name. That means I don't have to come up with some reasonable permutation of the HUNDREDS of passwords I've had to foment in the past, but damn, I really hadn't thought of them all just sitting out there in a plain text file.

It has taught me to regularly change even my "dumb" online account passwords pretty frequently, though. After all, if my company's worried about financial data being compromised through stolen or lost equipment, why shouldn't I? Am I less personally invested in my financial, social and privacy-related well-being than my employer?

That said, I recently had an account online locked and deleted when I accessed it from Japan and not the US. I had to write a letter to the company to have the account reinstated. I thought that was fairly great, though a pain in the ass (wish I'd known that would happen before I did that; I was never notified).posted by Unicorn on the cob at 6:48 PM on June 7, 2011

yeah, see, it seems everyone is getting broken into.
maybe it just seems that way. But a real statistic where I live: 1 in every 18 houses is broken into.
That was the latest stat for the year. Have 1 out of every 18 companies or individuals been hacked?posted by clavdivs at 6:50 PM on June 7, 2011

Well your risk depends on what sites you use, where you work, etc. My company has been the target of frequent high-level attacks, so our work policies are Serious Business as well they should be. If you work for a small business, you're probably at low risk of sophisticated attacks and mostly just vulnerable to stalkers / angry customers.posted by wildcrdj at 6:53 PM on June 7, 2011

So, change the password to a more-secure one at that point? What's the problem?
The problem is you're doing the whole bullshit thing that people have been pointing out of trying to fix the people instead of the problem. People don't choose secure passwords, and they sure as hell don't change them unless forced.

There is nearly always a better solution than hectoring to try and change human nature. This most closely parallels saving and backups. People were told to back up forever and never did. Then Time Machine made it practically invisible, and now people have backups. (Lion does the same thing for saving).

The solution to shit passwords isn't ordering people to get better at it. It's to figure out something else. Especially with GPUs coming along that can crack password hashes with terrifying rapidity.posted by bonaldi at 6:54 PM on June 7, 2011 [1 favorite]

Oh, and for things like your Google account you can use 2-factor authentication if you're concerned about password security. This is one of the things we're required to use on corp accounts.posted by wildcrdj at 6:54 PM on June 7, 2011

I've spent a lot of time trying to figure out the most efficient and secure way to manage unique and strong passwords for every site I log in to. I've read tons of different things about internet security and checked out all kinds of different options, but I've never, ever come across a guide to personal IT security that introduces a user to security from a general strategy to specific tactics. Whenever I read discussions like this, I'm quickly overwhelmed by all the arguments on pros and cons and whose fault it is. I think teaching the average user the aforementioned general strategy and specific tactics would be a better way to increase personal IT security rather than griping about how people should know better. Are there any good sites out there to teach folks about this stuff? (I know, I know, AskMe).posted by sciurus at 6:58 PM on June 7, 2011

It would be impossible for me to have a secure, unique password for each service that I use. Not only do I use a lot of services, but some of them I only log into infrequently. Memorizing the password initially does not mean I'm going to remember it a month down the road.

I used to do this thing where I would shift my hands up one row, then touch-type a simple password, which included the site name somehow. The keyboard-shifted fingers would type out a complex nonsensical password.

But then I found that it was sometimes hard to blind-touch-type with shifted fingers on odd shaped keyboards and I wouldn't be able to get into my sites. I'd have to go find a normal keyboard, type in my password, then write down what I actually typed. People would give me funny looks when they saw me typing on a keyboard that wasn't plugged into anything.

So remember just one master password, and generate a unique password for each site.

The problem with password generators is that if you happen to get keylogged then you've just given up all of your passwords, not just one. You also can't change one password without changing them all. If you absolutely must use some computer-based means to keep your passwords then Password Safe seems like a good solution, but I'd say it's significantly safer to store them in non-electronic form.posted by howlingmonkey at 7:29 PM on June 7, 2011
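The objection that a generator cannot rotate one site's password without rotating all of them goes away if the derivation takes a per-site rotation counter; the keylogger objection does not, since the master secret is still typed. This added example (not the thread's or any password manager's code) derives per-site passwords from one stretched master secret with HMAC, guarantees a character from each class, and shuffles deterministically so the layout is not fixed. The master phrase, salt and site names are constructed for the example.

```python
"""Per-site password derivation from one master secret (constructed example)."""
import hashlib
import hmac
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*"
# 64 symbols, so `byte & 63` selects uniformly with no modulo bias.
ALPHABET = LOWER + UPPER + DIGITS + "!@"
assert len(ALPHABET) == 64


def master_key(master_password: str, user_salt: bytes) -> bytes:
    """Stretch the single memorised secret once; the key serves every site."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), user_salt, 200_000)


def _keystream(key: bytes, label: bytes, nbytes: int) -> bytes:
    """Expand key+label into nbytes of pseudorandom bytes via counter-mode HMAC."""
    out = b""
    block = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:nbytes]


def site_password(key: bytes, site: str, rotation: int = 0, length: int = 16) -> str:
    """Derive the password for `site`; bump `rotation` to change only that site."""
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    label = f"{site.lower()}\x00{rotation}".encode()
    stream = _keystream(key, label, 2 * length + 4)

    # Free positions from the 64-symbol alphabet, then one guaranteed
    # character from each class so site rules are met.
    body = [ALPHABET[b & 63] for b in stream[: length - 4]]
    body.append(LOWER[stream[length - 4] % len(LOWER)])
    body.append(UPPER[stream[length - 3] % len(UPPER)])
    body.append(DIGITS[stream[length - 2] % len(DIGITS)])
    body.append(SYMBOLS[stream[length - 1] % len(SYMBOLS)])

    # Deterministic Fisher-Yates shuffle driven by the remaining stream bytes,
    # so the guaranteed characters do not always sit at the end.
    for i in range(length - 1, 0, -1):
        j = stream[length + i] % (i + 1)
        body[i], body[j] = body[j], body[i]
    return "".join(body)


def has_all_classes(password: str) -> bool:
    """True if the password contains lower, upper, digit and symbol characters."""
    return (any(c in LOWER for c in password) and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password) and any(c in SYMBOLS for c in password))


if __name__ == "__main__":
    key = master_key("correct horse battery staple", b"constructed-per-user-salt")
    for site in ("sonypictures.com", "gawker.com"):
        print(site, site_password(key, site), site_password(key, site, rotation=1))
```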

OK, Mhoye, I'll respond to your holier-than-thou proclamation, what would you do?

As a result, I moved to a program where I arbitrarily changed their password to something really evil, a long long string of garbage characters, if I could guess their password. They hated me! Yet it worked. They changed their damn passwords, and it was right for them to do so. Whining doesn't cut it with me, and it shouldn't.

Ah, you're that kind of admin. I understand. You know that what you've done there doesn't actually improve security, right? That you have, in fact, done the opposite?

Given a situation where 80% are using the default password, how would you help the situation? I'm super happy that I don't do this anymore, it doesn't pay enough, but I'd still love to hear what your solution might have been. My guess is that you don't have a solution, but I'm waiting. I'm happy to admit it if I'm wrong, I'm waiting.posted by Invoke at 7:31 PM on June 7, 2011

desjardins writes "OK, I still don't get it. Last time I was at my sister's, her kids were playing with the Wii, and some screen came up with their avatars and I think their names. My nephew clicked on his avatar and started playing. No password, unless I just wasn't paying attention, and he's 5, he wouldn't remember one anyway. I mean, if you can't trust your own family members... ? What is the benefit of going into someone else's gaming profile, besides just being a dick?"

Many teenage siblings routinely grief each other IRL; doing so to each other's XBox Live account wouldn't be off limits.

PS: True story: My daughter, at the age of 5, figured out how to change her password to her Windows account all by herself. And then successfully used it to log in for weeks. I didn't realize it till I went to install a new piece of software for her and she got all smarty pants explaining to me that the reason I couldn't log in was because I was typing the wrong thing in the box. I wish even half the users I've had to deal with were as smart as five year old kids. And the new password was way stronger than what I'd given her because it was essentially line noise.

Invoke writes "Given a situation where 80% are using the default password, how would you help the situation?"

Turn on expiration, even just for a single cycle, and then in the future always set the flag that forces them to change it on first use. Time it for any high-profile security breach in the news and management will be on board.posted by Mitheral at 7:37 PM on June 7, 2011

OK Mitheral, good idea, not available in 1990, but a good idea nonetheless.posted by Invoke at 7:42 PM on June 7, 2011

It wasn't until years later that it occurred to me that they pretty much couldn't have enforced that last restriction unless they were storing my previous passwords in plain text somewhere.

They only have to store your old, expired passwords in the clear, though; and if you're choosing passwords in such a way that they're guessable based on your previous passwords, You're Doing It Wrong.

What actually happens is that an admin in your organization clicks the checkbox in AD that says "store with reversible encryption".

Err… if it can be decrypted by the system in order to compare against other passwords, then it's effectively not encrypted.

Who cares if I use weak passwords if I'm more likely to have my account stolen through the companies getting hacked

There's a danger if you share passwords among sites— if you used the same password at Gawker and at your old yahoo account, and that mail account was set as the confirmation address for your bank account's lost-password-recovery procedure…posted by hattifattener at 7:43 PM on June 7, 2011
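The exchange just above turns on which history rules need plaintext. "Not the same as any of your last five" can be enforced with only salted hashes of the old passwords, while "no more than five consecutive characters in common with any previous password" needs both plaintexts side by side, which is why a system enforcing it either stores old passwords in the clear or isolates them in an oracle. This added example (not the thread's code) shows both checks; the passwords and iteration count are constructed.

```python
"""Password-history checks: what hashes can and cannot answer (constructed)."""
import hashlib
import hmac
import os
from collections import deque

ITERATIONS = 20_000  # kept low so the example runs quickly


def _stretch(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordHistory:
    """Keeps salted hashes of the last `keep` passwords.

    Answers "was this exact password used recently?" without ever holding
    the old passwords in plaintext. Nothing stored here can be reversed.
    """

    def __init__(self, keep: int = 5):
        self._old = deque(maxlen=keep)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._old.append((salt, _stretch(password, salt)))

    def was_used(self, candidate: str) -> bool:
        # Re-derive under each old salt; constant-time compare each digest.
        return any(hmac.compare_digest(_stretch(candidate, salt), digest)
                   for salt, digest in self._old)


def shares_run(a: str, b: str, k: int = 6) -> bool:
    """True if `a` and `b` share k or more consecutive characters.

    The contract rule quoted above ("no more than five in common") is k=6.
    Both arguments must be plaintext: there is no way to evaluate this
    from salted hashes, which is the point of the discussion.
    """
    if k <= 0:
        raise ValueError("k must be positive")
    return any(a[i:i + k] in b for i in range(len(a) - k + 1))


def acceptable(history: PasswordHistory, candidate: str) -> bool:
    """Hash-only policy: reject only exact reuse of one of the last five."""
    return not history.was_used(candidate)


if __name__ == "__main__":
    h = PasswordHistory()
    for pw in ("Summer2011!x", "Autumn2011!y"):
        h.record(pw)
    print("reuse of Summer2011!x rejected:", not acceptable(h, "Summer2011!x"))
    print("Summer2012!z shares a 6-run with Summer2011!x:",
          shares_run("Summer2012!z", "Summer2011!x"))
```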

The biggest result from this paper to me is that 2/3 of the Sony users with Gawker accounts re-used the same password at Gawker and Sony. When Gawker was hacked, a bunch of other sites like Twitter quickly had break-ins as vandals tried out whether people used the same password in many places. Turns out yes, they do, about 2/3 of the time. Awesome.

Passwords are a terrible way to authenticate users. It's time we moved to something better.posted by Nelson at 7:50 PM on June 7, 2011

...those things require (at least) 10 characters, including varying cases, alphanumeric characters, and punctuation. ALL of them must be changed every 30 days, or the next login

We have similar bizarro rules. Have they ever, honestly been shown to work? When every single monitor in the office is festooned with postit password lists?

We have had serious, no-crap intrusions on our networks, some that have even been successful. The most serious were spear-phish social engineering breaches though, spoofed mails. Our second most serious was caused by terrible bugs in a "helper" program, which still causes hundreds of people to go to cafes to work around the attachment restrictions on email.

One common feature of all of these attacks though is that they did not try to crack passwords. The takeaway for me is that corporate IT is as willing to play security theatre as any other security group, concentrating on visibility rather than effectiveness.posted by bonehead at 7:50 PM on June 7, 2011 [1 favorite]

One thing worth noting is that in both this and the Gawker case, what's being protected by the login is barely worth anything. (You mean someone can write comments in my name on Gawker, or claim to be me in some Sony movie sweepstakes? Big deal!)

I wonder how the password stats would look if you instead got hold of something people actually care about, like their online banking password.posted by ymgve at 7:56 PM on June 7, 2011 [1 favorite]

I second DarlingBri on the dyscalculia thing. All this "remember the name of a song plus some random capitalizations and squiggly marks and numbers" shit is wasted on me. My friend re-setup my network at home a few years ago and there is no way on this earth that I can recall that fucking password. Guess what, it's written on a piece of paper. As for LastPass, I can't install that at my work, so I still have to magically remember without a piece of paper every fucking password. Or any time I'm at my mom's and need to use her computer. And I probably have passwords on at least 40 sites, at least half of which probably don't really really need high security in the first place. Really, I need a password for that paper doll website? The recipe website? Gah. Who cares if that's hacked?

So what happens is that every time I hit a website, I type in every single fucking password I've ever had since 1997 and hope one of them hits because I can't remember every single one and which website it goes to. That's really awesome.

Human beings just can't fucking remember that complicated of a password, especially if you have to do it for 40+ websites. It's just not gonna work. I think I'm going to have to resort to the paper in my wallet any day now, honestly.posted by jenfullmoon at 7:58 PM on June 7, 2011 [1 favorite]

More sites are requiring security questions for account recovery. I guess if you don't know anyone and never tell anyone anything about yourself they can work, but the truth is that most of the time the questions are things that your friends would probably know. So your friends can break into your e-mail without much hassle regardless of whether you have a strong password or not.

Which is why my mother's maiden name is "bicycle tire juggler", my favorite color is "porky mutton chops" and my pet's name is "mango hooligan the third".

(seriously, i make up stupid answers to those security questions and write them down in my password book (backed up copy in safety deposit box)).posted by storybored at 8:01 PM on June 7, 2011

Things I have strong passwords for: my main email account, my online banking account, my facebook account (it has my phone number available for friends only), anything linked to my credit card, etc. Things I have medium strong passwords for: twitter, various forums. Things I have very weak passwords for: every single stupid online newspaper that requires me to log in to read, epicurious, etc. I say passwords, but I mean password for that last group. Yes, you could break into my epicurious account and . . . delete the stored recipes I have? If you hacked my twitter account, you could tweet stupider stuff than I normally do, or whatever, but I use twitter a lot and would notice quite quickly.

So finding out that my same email address is linked to the same password at the NYT and WaPost is . . . interesting, I guess, but not really informative about password security.

The real question I have now is what these Sony accounts are for that they deserve more than basic passwords?posted by jeather at 8:19 PM on June 7, 2011

Yep, less than 1% of passwords contained a non-alphanumeric character.

Most of us fucking peasants are so fucking stupid that we cannot conceive of something on a keyboard which is not a letter or a number? Heaven forbid.posted by ovvl at 8:21 PM on June 7, 2011

My passwords are at least 1400 characters long, and known only by my subconscious. Every time I need to type them in I'm required to enter a deep trance-like state. Only after journeying beyond time and space can I autonomically type in the secret key phrases.posted by blue_beetle at 8:25 PM on June 7, 2011 [3 favorites]

Not all sites even allow non-alphanumeric characters in their passwords. That breaks a lot of people's informal algorithms and means that there is that one site which has a different password, so that's, well, annoying.

The university I work for limits passwords on non-email accounts (e.g., what you use to access your paystub, or your research grant, or the library) to EIGHT characters, of which ALL have to be alphanumeric. It's a fucking disaster waiting to happen. Here are their guidelines:

The following rules apply for selecting a NetLink Password or a password for any of your services:

Your password must be 6 to 8 characters long.
You may use capital letters, small (lower-case) letters, and digits but it cannot be ALL CAPITAL LETTERS or all small letters or all digits.
Do not choose a password that can easily be guessed such as anything derived from your name or your NetLink-ID. We will not accept any password which contains an initial sequence of 3 or more characters from your NetLink-ID or any component of your name. The comparison is made in a case-insensitive manner. For example, if your surname was Smith then something like absMi321 would not be acceptable as a password because of the presence of sMi embedded in it.
Do not use a word, no matter how obscure, that can be found in a dictionary.
Your password may not contain a sequence of 3 or more identical characters.

NetLink will check your selected password to see if it follows these rules and it could reject your password choice if it does not follow them. This is done to make it more difficult for anyone to guess your password.

One common strategy, but by no means the only one, is to use the initial letters of a sentence or phrase to form an acronym that will look like a random sequence but will be easy to remember.

I mean, I know nothing about this, but (a) establishing up front that there are either 6, 7, or 8 characters in everyone's passwords must make a hacker's job easier, no? and (b) not allowing symbols just seems stupid and limiting. Some of the other advice is reasonable I guess. I'm thinking of sending them a link to this post and asking them, WTF please?posted by Rumple at 8:45 PM on June 7, 2011
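The quoted NetLink rules are precise enough to implement, and implementing them makes Rumple's point (a) concrete: the rules fix the whole keyspace in advance, so it can be counted. This added example (not the university's code) encodes the rules as a checker that returns every violation, using the "absMi321" / Smith case from the guidelines, and counts the admissible space. The NetLink-IDs, names and the tiny dictionary are constructed.

```python
"""A checker for the NetLink password rules quoted above, plus its keyspace."""
import math
import re
import string

ALNUM = string.ascii_letters + string.digits

# Stand-in for a real dictionary; constructed for this example.
SMALL_DICTIONARY = frozenset({"password", "letmein", "welcome", "monkey"})


def netlink_check(password, netlink_id, name_parts, dictionary=SMALL_DICTIONARY):
    """Return the list of rule violations; an empty list means accepted."""
    problems = []
    if not 6 <= len(password) <= 8:
        problems.append("must be 6 to 8 characters long")
    if any(c not in ALNUM for c in password):
        problems.append("only letters and digits are allowed")
    if password.isdigit() or (password.isalpha() and
                              (password.isupper() or password.islower())):
        problems.append("cannot be all capitals, all lower-case or all digits")

    # "initial sequence of 3 or more characters from your NetLink-ID or any
    # component of your name", compared case-insensitively. If a longer
    # prefix is present the 3-character prefix is too, so 3 suffices.
    lowered = password.lower()
    for component in [netlink_id, *name_parts]:
        prefix = component[:3].lower()
        if len(prefix) == 3 and prefix in lowered:
            problems.append(f"contains '{prefix}' from '{component}'")

    if lowered in dictionary:
        problems.append("is a dictionary word")
    if re.search(r"(.)\1\1", password):
        problems.append("has 3 or more identical characters in a row")
    return problems


def netlink_keyspace():
    """Number of passwords the length and character-class rules admit.

    Per length n in 6..8: 62^n strings, minus all-capital, all-lower and
    all-digit ones. The name, dictionary and repeat rules remove a little
    more, so this is a slight over-estimate of what an attacker must cover.
    """
    return sum(62 ** n - 2 * 26 ** n - 10 ** n for n in range(6, 9))


def keyspace_bits(size):
    """Keyspace expressed as bits of guessing work, log2(size)."""
    return math.log2(size)


if __name__ == "__main__":
    print(netlink_check("absMi321", "jsmith", ["John", "Smith"]))
    print(netlink_check("Tr0ub4dr", "jdoe", ["Jane", "Doe"]))
    print(f"NetLink space: {netlink_keyspace():,} ({keyspace_bits(netlink_keyspace()):.1f} bits)")
    print(f"12 printable chars: {keyspace_bits(95 ** 12):.1f} bits")
```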

Given a situation where 80% are using the default password, how would you help the situation? I'm super happy that I don't do this anymore, it doesn't pay enough, but I'd still love to hear what your solution might have been. My guess is that you don't have a solution, but I'm waiting. I'm happy to admit it if I'm wrong, I'm waiting.

The "passwd" command, on just about any unix.

You don't use "a" default password, you assign them individually and randomly, when people's accounts are created. Password (min and max) age limits is a feature of "passwd" and has been for a long time - I think I found out about it in 90s with Solaris 5.2, (passwd -x and -n options) but I think it goes back at least as far as Solaris 4.

If you get to that game late, and need to force people to change from a poorly chosen default, "passwd -f" will let you force a password change at the next login. Windows NT has had comparable stuff built in for a long time, but maybe not before 3.5, which is when I first really started in with it. The automation there was a lot less friendly, but there were a few tools available for that too.posted by mhoye at 8:48 PM on June 7, 2011

(Sorry to keep you waiting.)posted by mhoye at 8:48 PM on June 7, 2011

Since you were the one to call me out, I think it is fair to require a better answer than that, Mhoye. Yes, if you use a command-line tool, it will help with password strength. Duh. I get it, the problem is that users don't.

How about a real-world answer, one that will work for people on web apps distributed across several sites using several operating systems?

It isn't quite so simple is it?posted by Invoke at 9:02 PM on June 7, 2011

Invoke, in this instance "passwd" would be run by the administrator on the system(s) the users are logging in TO. Not by the user (although they could, if they wished).posted by coriolisdave at 9:17 PM on June 7, 2011

oh come on. I use 12345 as a password all the time.

I literally can't tell you how many websites I've created a username for. Every single website, you have to have a password. But so often, it just doesn't matter. Better I should just use 12345 than waste the gray cells remembering something complex.

A lot of websites still store their passwords as plaintext. Not just little dinky fly-by-night operations (in fact, many of them use out-of-the-box frameworks rather than rolling their own code, so they're often more likely to be secure since they "outsourced" the security coding in some ways).

I personally love single sign-on. I know there are risks and severe usability problems, but as a developer I love solving the whole login thing by having a user click on a Twitter, Facebook, or Google icon.posted by Deathalicious at 10:10 PM on June 7, 2011

I have different passwords for all my different sites, and I remember 'em all... the secret is to have a pattern that's guaranteed to be memorable and to be hard to crack.

I started to describe mine - but realized this was a bad idea. :-Dposted by lupus_yonderboy at 10:48 PM on June 7, 2011

Between reading this thread and getting Leverage season 3 in Netflix today and watching "The Reunion Job," I have now spent the entire fucking night changing all of my passwords and crying. I have come up with Yet Another New System, but who the fuck knows if I'll remember it either. (Especially when, as some folks have pointed out in the meantime, some sites need to be more special fucking snowflake than others.)

I hate humanity. I just want y'all to know that. I especially want you to know this when I can't remember any passwords tomorrow.posted by jenfullmoon at 10:49 PM on June 7, 2011 [1 favorite]

I would wear a ring which transmits my passcode. Or a badge.posted by maxwelton at 11:10 PM on June 7, 2011

And it's not like it's really that hard to have them down, either (even a complex password can be memorized pretty effectively by just taking a minute or so to type it out a few dozen times in a row).

Just stop whining that passwords are hard, they aren't, you are just being a whiner. There are plenty of solutions, either the class-of-things method I suggest, or using a program.

Yeah. How very nice for you people.

Say, is there any particular thing that you're not so good at?

Do you find it helpful to be told that you're a fucking moron for: having difficult-to-read penmanship, failing to recognize the names of famous tennis players, poor dancing skills/comfort, inability to eloquently explain the relevance of contemporary art for a general audience, botched attempts at poaching an egg, forgetting your great-aunt's birthday...

Really if people can't devise and remember for themselves a simple algorithm to pick out from a pre-set non-denumerable mnemonic array the relevant denotation key for one of no more than about thirty different random 11-place character strings, they don't deserve help, they deserve to be weeded out of the gene pool, amirite?posted by Segundus at 1:00 AM on June 8, 2011 [6 favorites]

Just so the information is in this thread...

I use Clipperz for my password management. It autogenerates convoluted passwords, allows you to download an offline "app" version of the site for use when you're away from the 'net (I put a copy of that on my N900 for access to my passwords anywhere/anywhen), is open-source (and makes the website code available to download) and (for most sites) will create a "one-button log-on" link. Having tried many other password managers, this one is currently working very well for me.posted by benzo8 at 1:11 AM on June 8, 2011

You have a joystick, a big ass screen, supposedly the most sophisticated "designers" in the world and the best they can come up with is an alphanumeric button system?

Seriously, it's the equivalent of tiller steering in a car.

I remember password security was a topic in my HCI class in college. One group I was mentoring came up with a system that would first present you with a randomly selected image from a nearly limitless bank. You then had to select 4 random areas of that picture, which was divided into about 20 quadrants. Later when you were prompted for your password, you were presented with 9 images, 1 of which was yours. The image had no gridlines but you had to select those 4 originally selected areas in order.

Humans are remarkable at remembering images, particularly when connected with a physical experience and they got 100% recall rate after one week and not one damn letter or number or non-alphanumeric character in the mix. Sure, you could poke some flaws into this student project but it got me thinking about at least a dozen or so variations to tighten it up without compromising usability.posted by like_neon at 1:17 AM on June 8, 2011 [1 favorite]

My passwords on that contract had to be changed every month. They had to be at least ten characters, including mixed case and numerals and punctuation. And they couldn't have more than five consecutive characters in common with any of my five previous passwords.

It wasn't until years later that it occurred to me that they pretty much couldn't have enforced that last restriction unless they were storing my previous passwords in plain text somewhere. Way to padlock the front window and leave the back door open, folks.

if you're actually thinking when you do this sort of thing (which may or may not apply to this contract) you can build systems with the requisite security - the same sort of thing is done, in theory at least, by commercial Certificate Authorities.

for this sort of thing, you build a standalone system, with no network access, and a program listening on a serial port that receives name/password pairs and answers "yes" or "no" as to whether the new password is acceptable. if the answer is "yes" then it stores the new password (in plaintext) along with the other passwords for that name.

there's no remote attack vector against the machine other than the oracle on the serial port, which can be small and well audited. backups can be carried out separately from the normal backup process, and if data is lost then the only downside is people may be able to re-use a password or two.

if somebody needs to do anything with the machine other than ask it "is this password OK for this user" then they get the keys and walk into the machine room and stand in front of it.

not saying that this is how it was done in your case, just that it can be done in ways that don't leave your entire plaintext password database vulnerable to remote theft.posted by russm at 3:11 AM on June 8, 2011
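As an added illustration (not code from russm or anyone else in the thread), here is a minimal model of the oracle described above, enforcing the "no more than five consecutive characters in common with any of the five previous passwords" rule from the earlier comment. The per-account history is kept in plaintext because that rule cannot be evaluated against hashes, which is exactly why the machine holding it is isolated; account names and passwords below are constructed.

```python
# Added example: a standalone password-history oracle of the kind russm
# describes. It answers "yes"/"no" to "name password" requests and keeps
# each account's recent passwords in plaintext so the rule can be checked.

from collections import defaultdict, deque

HISTORY_DEPTH = 5    # compare against the five previous passwords
MAX_COMMON_RUN = 5   # a shared run longer than this is rejected


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters shared by a and b (classic DP)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, start=1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


class HistoryOracle:
    """Plaintext history per account; the deque drops the oldest entry itself."""

    def __init__(self):
        self._history = defaultdict(lambda: deque(maxlen=HISTORY_DEPTH))

    def check(self, name: str, candidate: str) -> bool:
        # Reject if the candidate shares too long a run with any stored password.
        return all(
            longest_common_substring(candidate, old) <= MAX_COMMON_RUN
            for old in self._history[name]
        )

    def submit(self, name: str, candidate: str) -> str:
        ok = self.check(name, candidate)
        if ok:
            self._history[name].append(candidate)  # accepted: becomes history
        return "yes" if ok else "no"


def handle_line(oracle: HistoryOracle, line: str) -> str:
    """Parse one 'name password' request as it might arrive on the serial port."""
    name, _, password = line.strip().partition(" ")
    if not name or not password:
        return "no"  # malformed request: fail closed
    return oracle.submit(name, password)


if __name__ == "__main__":
    o = HistoryOracle()
    for req in ("alice Winter!2011xq", "alice Winter!2012xq", "alice Spr1ng#Rain9"):
        print(req, "->", handle_line(o, req))
```

The only remote-facing surface is `handle_line`, which is the small, auditable piece russm refers to; everything else is data at rest on an unreachable machine.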

Ah, I thought you were asking me about your originally described situation, and wanted help with passwd.

For "web apps distributed across several sites using several operating systems", Firefox's built-in password manager plus their cross-platform, cross-device sync service solves that problem for you pretty much transparently. It's a free service! And pretty great, too.

You can complement that with a regular old text file on a TrueCrypt volume if you like, also reasonably cross-platform. Again, use one somewhat complex password for that, and then put it on a sticky note in your wallet.

Yes, you really do need to have a scheme for passwords, sorry, it is part of the modern world. Too damn bad if you don't like it.

See...This sort of geek attitude is rooted in their love for complex systems. It's like a badge of honor to brag you have umpteen complex passwords memorized, using some sort of self-made system. It's a game to them. It's the world they live and breathe in. To them, there's nothing really wrong with the system. All you need is to be like them and get into the game.

Sadly, it reveals real disdain and/or dismissal of the other 95% of the population who can't or don't share their enthusiasm for the sort of complexity and attention that the existing password systems require. It's yet another case of "We built this really cumbersome system without considering the needs and habits of the rest of you, the end-users. Deal with it."posted by Thorzdad at 4:37 AM on June 8, 2011 [2 favorites]

the secret is to have a pattern that's guaranteed to be memorable and to be hard to crack.

"Guaranteed to be memorable" is the hard thing here. Over the years, I've had a number of patterns - songs, books, organizations I've been involved with, etc. And over the years, those patterns have changed as my interests and involvements have changed. And when you throw in having to remember which username you've picked for which site, and how that's associated with the particular pattern....Well, it's suddenly not that easy for some of us.

A while back, I accidentally deleted a whole bunch of passwords in the file where I kept them (and no recent backup existed - I know, I know! Shut up!). I was able to recreate most of them - by brute-forcing my memory, and by using the site's reset password function. But some of them were associated with email accounts I'd created specifically for that site, and not only could I not remember the password for that email account, I couldn't remember which fucking email service I'd used. Fortunately, most of those still-unremembered passwords belong to accounts or sites that have turned out to be non-critical. But for some, like a bank account, I needed to remember the security question/answer in order to reset the password. And because I'd been so smart, I'd set the answer to "What is your mother's maiden name?" to....My first pet? My elementary school (which one? I went to four!)? My best friend in college's last name? My favorite brand of shoes?

It's a fact of life that most humans have terrible fucking memories. The system is set up to make us fail, nine times out of ten. That's a poor system.posted by rtha at 4:49 AM on June 8, 2011 [1 favorite]

the problem is humans are bad at "random", and computers are good at "persistent". back when you identified yourself to your bank with a physical book that you presented over the counter, it was much harder for someone in Azerbaijan to present themselves to your bank as you and empty your account.

we all love our conveniences, but you have to authenticate yourself to your bank somehow. and if you use the same password everywhere, you have to trust Sony, and Microsoft, and that hokey webstore where you bought that tshirt, with the password that gets into your online bank. and you have to use a strong password with your email service since that may be all a competent social engineer needs to get your bank to change your password.

so, how do you want to authenticate yourself to your bank? unfortunately "I don't know, but it should be 100% secure and not at all inconvenient for me" isn't an answer.

personally, I use a handful of random passwords, for different security domains (random crap I don't care about at one end, financials at the other, several stages in between). they're written down on a piece of paper in my wallet (since I already know how to secure small valuable pieces of paper in my wallet, AKA cash). the paper doesn't identify the providers the passwords are for or the account names/numbers/etc. there's a copy of that in the safety deposit box with all my other "secure" stuff, in case I lose my wallet or it gets stolen.

so if either of my banks get hacked I'm SOL with respect to the other, but apart from that I think I can live with the risk. and I don't have to remember some algorithm or scheme or whatever, or a thousand different passwords, and my risk is from getting mugged by someone who then decides to try and hack my accounts before I phone my bank to report my credit cards stolen.posted by russm at 5:18 AM on June 8, 2011

The thing that infuriates me about the stupid, arcane and moronic password schemes described (and even advocated) above is that they provide essentially no benefit for a high user cost.

The only thing that really matters is length of the password, not using capitals or numerals or what have you. Ensure that people have long enough passwords and be done with it. Allow passwords to have spaces and tell people to use a passphrase they can remember instead. Then do a sensible thing like 3 tries before a 15 minute lockout to slow down attack speeds. Since the crack time on a 10-letter passphrase with 12 tries per hour is essentially infinite, no one ever need change theirs, except in fairly rare circumstances. Job done with much less hate from your users, and you have actual math to back up your estimate of the security risk.

So like I say, current typical IT policies are poorly-thought out fig leaves to real security. They are a casebook example of Security Theatre, and it needs to stop.posted by bonehead at 5:45 AM on June 8, 2011 [2 favorites]

OK, I still don't get it. Last time I was at my sister's, her kids were playing with the Wii, and some screen came up with their avatars and I think their names. My nephew clicked on his avatar and started playing. No password, unless I just wasn't paying attention, and he's 5, he wouldn't remember one anyway. I mean, if you can't trust your own family members... ? What is the benefit of going into someone else's gaming profile, besides just being a dick?

The Wii has barely any kind of user persistence, so it doesn't really need passwords. XBox and Playstation profiles have things like achievements, game history, and credit cards tied to them.

On my home XBox, I have it set to auto-login so I don't have to enter the password every time. But if I ever got a new machine, I could log in to keep all of my current info. I've also got a keyboard attachment to make typing things way way easier, but that's another matter.posted by kmz at 6:51 AM on June 8, 2011

The US treasury's treasurydirect.com has a 3-way defense. 1. The individual's user account is entered using the user's standard keyboard. 2. A random keyboard generator creates an onscreen keyboard to enter the user's password, which must contain mixed case and punctuation. 3. A hard copy key card which does not show the user's account number or name is mailed to the user, and three codes, requested by the site, must be entered from that keycard.

Sure it's belt and suspenders and duct tape, but very secure. OTOH having someone change their password every 30 days is the least secure of all the methods because it leads to easily guessable passwords...Yankees1...Yankees2 etc, or the old reliable Post-It.

IMHO a long password that is not in a dictionary is the best, e.g. "Ta1l0rmadeSh1rt". I'll bet you could use that in any number of places for a good long time.posted by Gungho at 7:19 AM on June 8, 2011

or the old reliable Post-It

I'd say the Post-It gets more flak than it should: if it's stuck on your monitor in your home (assuming no roommates or children you don't want to have it), that's a hell of a lot more secure than 90% of the passwords in this torrent. And you don't fall in love with a random string of characters very often. But it happens. And we're very happy together.posted by yerfatma at 7:40 AM on June 8, 2011

I really wish I could just use retina scan verification or fingerprint or something for these websites.

I dunno... then when people steal your passwords and ID, the 'hackers' appellation will be much more literal.posted by FatherDagon at 7:55 AM on June 8, 2011 [1 favorite]

DEAR LORD. Last night I asked my wife for her password so I could log in and pay off our DISCOVER card. She told me and I asked "Any capitalization in there?" She told me "It doesn't matter."

!? Of course it matters I thought to myself. But no, I have tested it enough to convince myself it does not. Discover is apparently doing a LOWER() on your password. If you have an account, give it a go, see for yourself. I talked to a representative who told me "the site is not case sensitive."

Until Sony quits storing my password in plaintext, and Discover quits doing a LOWER() on my password, don't tell me my passwords are too weak or whatever. I do not see myself as the major problem here.posted by jermsplan at 8:11 AM on June 8, 2011 [1 favorite]

[not remembering passwords]

I still don't grasp this issue. Don't you write them down? Writing them down somewhere non-obvious is really very secure, and that can simply be a filecard or something else. If some guy breaks into my house, he isn't going to be searching my papers for things that might be passwords, he's going to grab cash, my gear, and split - and I'll find out really fast if he does somehow grab my password book, I'm not likely to not notice a break-in! And I can change them; I imagine he'll be more interested in selling my stereo system than ordering books from Amazon.

Or simply make sure to remember your gmail password only, and put up your passwords as a spreadsheet in Google documents. Less secure, but still pretty darned secure, and you have the advantage that you can cut and paste.

But really, writing it on a piece of paper is perfectly good. If you take a few minutes to think it through, you can make it so opaque that you can easily store it in your wallet - say

A: ZonCarrot?? E: BayOnion32. G: WitchWat99!?

meaning your Amazon, Ebay and Gmail passwords - and if your handwriting isn't so good, people will have no idea that it's even a list of passwords - and remember that the average guy who takes your wallet will take the money and ID and throw the wallet out, not try to do detective work on your wallet.

(NONE of these are good strategies for ultra-secure passwords but that's another story...)

> I do not see myself as the major problem here.

OH, yes! I can't agree too much here.

There's only one correct way for consumer sites to handle passwords - that's to have no restrictions whatsoever on the password except "strength" and to report the strength of the password as you create it - in other words, exactly what Google does.

Almost as strong, just a little less convenient, is a similar strategy where you have to submit the password to the server and it tells you whether it's strong enough or not.

One of the sites I must use - and one that should be critical! - has the following password rule - 6 to 8 characters, must contain letters and numbers, and must have one number that's neither at the front nor the end.

The fact is that it's almost impossible to think of a password with such restrictions. I had an interesting chat with one of their reps. online who was pretty receptive - I pointed out that these restrictions make it extremely easy to guess the password and probably 30% of them are common phrases like end2end, boyz2men, man2man.

It's been a year and they haven't changed this. I'm pretty close to writing an "Open Letter" and finding a place to publish it...

The idea of measuring a password as strong is so much more effective than prescribing a specific formula for password creation (except in the case of ultra-strong passwords, where you are often just handed a password from a list of pronounceable, random passwords).

It's paradoxically a negative test. Instead of seeing "Does this password match this pattern that's good?" you say, "Does this password match any of these patterns that are known to be bad?"

So much easier to maintain - if you discover a problem, you simply add a new "bad" rule. So much more convenient for the user - because if you type any old junk it will almost certainly be a valid password if it's long enough.

And, paradoxically, so much easier to explain to the user - "make your password as long as you can and we'll tell you if it's good, avoid these silly mistakes" - you could even give them hints in your error message for weak passwords, "Make it longer", "Add another word", "Add some numbers and punctuation". The positive rules are much harder - hitting some arbitrary pattern is much harder conceptually than avoiding a few arbitrary patterns...posted by lupus_yonderboy at 9:16 AM on June 8, 2011 [1 favorite]
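The "negative test" described above, worked through as an added example (not lupus_yonderboy's code): a candidate is accepted unless it matches one of a list of known-bad patterns, and each rule that fires contributes one of the hints the comment suggests. The minimum length, the small blocklist and the keyboard-walk list are constructed assumptions; the word-digit-word rule covers the end2end/boyz2men shapes mentioned earlier in the thread.

```python
# Added example of blacklist-style ("negative test") password evaluation.
# New "bad" rules are appended to BAD_PATTERNS; nothing else needs to change.

import re

MIN_LENGTH = 12  # assumed policy value; length is the property the thread cares about

# Constructed sample blocklist; a real deployment would load a large leaked-password list.
COMMON_PASSWORDS = {"password", "asdfgh", "qwerty", "letmein", "123456", "xbox"}

# Keyboard "gestures" such as the 1-q-a-z / 2-w-s-x slides mentioned in the thread.
KEYBOARD_WALKS = ("1qaz", "2wsx", "3edc", "qwer", "asdf", "zxcv")


def _too_short(pw: str) -> bool:
    return len(pw) < MIN_LENGTH


def _common_password(pw: str) -> bool:
    return pw.lower() in COMMON_PASSWORDS


def _word_digit_word(pw: str) -> bool:
    # end2end, boyz2men, man2man: letters, exactly one digit, letters
    return re.fullmatch(r"[a-z]+\d[a-z]+", pw.lower()) is not None


def _single_case_alpha(pw: str) -> bool:
    # Letters only, all one case: the "just a word" failure mode.
    return pw.isalpha() and (pw.islower() or pw.isupper())


def _keyboard_walk(pw: str) -> bool:
    low = pw.lower()
    return any(walk in low for walk in KEYBOARD_WALKS)


def _repeated_run(pw: str) -> bool:
    return re.search(r"(.)\1{3,}", pw) is not None  # aaaa, 1111, ...


# Each known-bad pattern is paired with the hint shown to the user when it fires.
BAD_PATTERNS = [
    (_too_short, "Make it longer"),
    (_common_password, "That password is on the list of commonly used passwords"),
    (_word_digit_word, "Add another word"),
    (_single_case_alpha, "Add some numbers and punctuation"),
    (_keyboard_walk, "Avoid keyboard patterns like 1qaz or asdf"),
    (_repeated_run, "Avoid repeating the same character"),
]


def evaluate(password: str):
    """Return (accepted, hints). Accepted only when no bad pattern matches."""
    hints = [hint for rule, hint in BAD_PATTERNS if rule(password)]
    return (not hints, hints)


if __name__ == "__main__":
    for candidate in ("end2end", "Password", "correct horse battery staple"):
        print(repr(candidate), "->", evaluate(candidate))
```

Gungho's "Ta1l0rmadeSh1rt" passes these rules even though it is a dictionary word with substitutions, which shows the approach is only as good as its rule list; a leet-speak normaliser feeding the blocklist check would be the natural next rule to add.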

like_neon writes: "Humans are remarkable at remembering images, particularly when connected with a physical experience and they got 100% recall rate after one week and not one damn letter or number or non-alphanumeric character in the mix. Sure, you could poke some flaws into this student project but it got me thinking about at least a dozen or so variations to tighten it up without compromising usability."

There are a couple serious flaws with this scheme. It can't be used at a text terminal and it can't be stored for scripting so you'd have to enter your password every time your mail client connected to the server. However the show stopper is that it wouldn't work for blind users.posted by Mitheral at 9:29 AM on June 8, 2011

I know, right? I mean come on lupus_yonderboy, tell us what you're doing hanging out on a message board for R&B artists who want to learn how to defend the fast break.posted by dersins at 9:53 AM on June 8, 2011

bwahahaha! By trying too hard to reveal my actual password strategy for that site, I certainly wrote myself into a strange corner.

But it does show how the problem constricts your thinking in weird ways. You have so few choices! Either one word is 2 letters and the other 4, or one is 3 and the other is 3 or 4. The fact is that you're sort of constrained into sounding like music groups from the category the industry papers euphemistically call "urban".posted by lupus_yonderboy at 10:26 AM on June 8, 2011

As the joke goes, "I don't need to outrun the bear, I just need to outrun you." Keyloggers are unlikely to spend the time chasing a handful of people who use password generators or safes when they have hundreds of people using variants of "password" and "asdf." And currently, the risk of someone trying to leapfrog into my banking using a password they got from a low-priority social site strikes me as considerably more likely than an attempt to get my master password.posted by KirkJobSluder at 10:28 AM on June 8, 2011

I see where you are coming from now like_neon. Ya that sounds like it would work pretty well in that limited context.posted by Mitheral at 4:36 PM on June 8, 2011

I have a friend who uses gestures to create passwords, something like "hold shift and slide finger down 1-q-a-z, let go of shift, slide finger down 2-w-s-x" as a simple example. He uses more complex gestures, in the shape of letters or whathaveyou. It seems like a good system until you put him on an iOS device, or other virtual keyboard layout.posted by effwerd at 7:40 PM on June 8, 2011

More services need to embrace two factor authentication, everyone has a cell phone these days.posted by dirtyid at 8:45 PM on June 8, 2011

That's not close to being true. 1 in 10 Americans don't have a cell phone

Um, I don't particularly care about this argument, but 90% of people having something (whether they carry it with them or not) actually is pretty damn close to "everyone" having it. Especially given that 90% appears to exceed (by a significant margin) the percentage of Americans who use the internet at all, let alone need passwords.posted by dersins at 10:26 AM on June 9, 2011

Another thing just occurred to me. How many sites send you an email confirming your password with the password in it? What is the sense of that? I get so ticked that I will email them right back pointing out how very stupid they are. Of course I lay it out in very small words so they can understand.posted by Gungho at 10:30 AM on June 9, 2011

Two-factor encryption certainly isn't bulletproof, and has been beaten by some time-sensitive man-in-the-middle attacks. But it certainly raises the bar a bit and if we can only figure out an easier way to do it, it would help.posted by KirkJobSluder at 10:37 AM on June 9, 2011

SecurID is two-factor and it's been hacked. Many governments consider(ed) it good enough for sensitive but not secret data. See backseatpilot's link above.posted by bonehead at 3:28 PM on June 9, 2011

More services need to embrace two factor authentication, everyone has a cell phone these days.
A cell phone, perhaps.
A smart phone? Not even close.posted by Thorzdad at 8:17 AM on June 12, 2011

A "smartphone" is not required. Even the really cheap phones these days run J2ME apps (often this ability is disabled by the carrier, but it's there). They don't have the cpu power or display size to act like an iPhone, but they have more than enough to handle their end of a strong-crypto authentication protocol. Add in BREW and the iPhone and WindowsPhone proprietary islands and you have the vast, vast majority of phones.posted by hattifattener at 5:06 PM on June 12, 2011

A "smartphone" is not required. Even the really cheap phones these days run J2ME apps (often this ability is disabled by the carrier, but it's there).

Disabled by the carrier and (at least in my case) subject to per-use data fees is not what I would consider "available" on my non-smartphone.posted by desuetude at 10:25 PM on June 13, 2011

Does your old button phone do SMS? That's all you need for two factor. Heck, you can do it with a voice phone call if you're desperate.posted by Nelson at 8:37 AM on June 14, 2011

I don't have a cell however my wife's cell does SMS but it costs 15 cents each both sending and receiving. I'd prefer not to spend 30 cents every time I access an account. Especially considering Wikipedia can't seem to remember my account info making me log in every time I go there.posted by Mitheral at 9:55 AM on June 14, 2011

Well, I'm of two minds about this. Blizzard evidently found that the cost of implementing a token-based two-factor authentication system was less than the cost of supporting hacked accounts. On the other hand, the biggest computer security failures lately appear to involve failures of corporate security involving databases of thousands or even millions of accounts. Two-factor may protect you against the random keylogger, but not against Sony, Citicorp, or RSA getting compromised.posted by KirkJobSluder at 11:58 AM on June 14, 2011

Well, Mitheral, we've established an obsolete cell phone with a very limited data plan won't work well for two factor authentication. Awesome. So how about a dedicated token? They cost about $5. Or a paper one time pad?

Obviously you don't want TFA every single time you log into a low value account. But for high value accounts, or occasional verification from new IP address / hosts, it makes a lot of sense. That's essentially what Google has implemented and it seems to be working pretty well.posted by Nelson at 4:45 PM on June 14, 2011
